It comes as no surprise that cybersecurity is a hot topic again this month. It seems as if you can’t read the news without coming across a story about yet another ransomware attack or breach, many of which impact the healthcare industry. Imagine waking up one day, going into work, logging onto your computer, and then being hit with a popup demanding that you pay a ransom to get access to your files. What thoughts would be running through your head? Should I pay this? I need those files! Why is someone doing this to our organization? And finally, what could I have done to prevent this? Industry leaders this month gave us some great insight into the world of cybersecurity and what organizations can do to prevent future attacks.
The abundance of attacks and breaches obviously has to do with the industry moving from paper to digital records. Tom Toperczer, Director of Product Management, OmniJoin, Brother International Corporation said it best: “As the healthcare industry transitioned from paper to electronic health records, a bevy of patient protected health information (PHI) security issues emerged. The safe storage, access, and transfer of electronic PHI or “ePHI” became new concerns that continue to evolve as new technologies, such as video-based telehealth, are introduced.”
The more the industry evolves, the more security practices have to evolve along with it. Toperczer brings up another good point about signing a business associate agreement, which is something that companies should consider when dealing with sensitive information: “Web conferencing for telehealth, however, has been successfully used across the world for many years, but is only now becoming more widely adopted, especially with the service available on mobile devices. Due to this trend, healthcare organizations offering telehealth services are mitigating their ePHI breach liability risk. One way is signing a business associate agreement (BAA) with the telehealth technology vendor, just as they would with any other company that touches their patients’ data.”
Another good point was brought up this edition by Kurt Roemer, Chief Security Strategist at Citrix. In his best practices for organizations he cites “patching early, patching often.” Roemer says, “Patching and updating your systems and software is one of the simplest yet most effective actions against cyber intrusions, but far too many organizations don’t have an up-to-date strategy in place.”
It is apparent that the simplest way to prevent cybersecurity threats is to actually take those preventative measures. Healthcare organizations should certainly heed this advice. Keeping your systems and software up to date should be a priority.
Another interesting point was brought up by Perry Price, CEO/President and Co-founder for Revation Systems. He says it all comes down to policies and procedures: “Perhaps the most important aspect of network security and encryption for healthcare organizations to remember is that it begins with the implementation of stricter policies and procedures for healthcare contact center agents. Where increased security measures for networks and end-to-end encryption significantly improve the security of sensitive data flowing through contact centers, no solution will truly be effective unless the contact center has implemented and enforced strong policies and procedures inside the walls of the organization.”
The idea of implementing stricter policies and procedures ties back to the earlier point about patching early and often. Organizations should consider enforcing a policy on patching and updating systems.
Perry also brings up another interesting point regarding writing private and/or sensitive information down on paper. This is a big no-no, not only in the healthcare field but in many others. He has a great solution. Perry says, “Such policies may include prohibiting agents to write any sensitive data down on paper, and instead using a whiteboard to record information, as any PHI can easily be erased and disposed of. By implementing stricter policies in-house, healthcare contact centers can remain compliant, while still providing excellent customer service to patients.”
Perry’s suggestion of using a whiteboard is a great tip! Some staff members of an organization are used to doing things “the old-fashioned way,” by writing things down on a piece of paper, and the whiteboard is an excellent compromise. I hope that all healthcare organizations consider the advice from the contributors on cybersecurity this month.
As always, thanks for reading. I welcome your feedback at [email protected]